WinApiOverride
- Attach to all new processes :
On Vista or higher, csrss can be used instead of a driver to spy on created processes (drivers are no longer required, and so driver signing is not required)
Better virtual machine shared network drive support
- Added threads window to access and act on hooked processes' threads (accessible from main window and break dialog)
- Added retrieval of all call stacks at once (accessible from main window and break dialog)
- Small bug fixes, user interface improvements

WinApiOverride
- Improvement : New keyword "DontCheckModulesFilters" : allows bypassing modules filtering for some function calls. Available for monitoring files and overriding dll
- Improvement : Support for a debugger changing the control flow after an uncaught exception occurs inside a hooked function
This allows people developing an overriding dll to change the flow after an uncaught exception occurred inside their dll, to do more debugging
- Bug correction : small bugs on filtering filters solved

StubResolver tool added : shows where the API-MS-WIN-CORE-XXX.dll are redirected (for Vista and Seven)

Registry Emulation example added to help people developing portable applications. Pre-alpha version only

WinApiOverride
- Plugin support. Overriding dll can communicate with plugins too.
- Monitoring file PointedDataSize extension. Now you can write ":PointedDataSize=ArgU*ItemSize" where ItemSize is the size of a single item. For functions like Mydll.dll|void MyFunction(DWORD* ArrayOfDword:PointedDataSize=Arg2*4, SIZE_T ArrayItemsCount)
- .NET static file loading bug introduced in 5.2 version solved (Thanks to Noybdh for report)
- Bug solved in .Net : calling convention was not set correctly in some cases
- Prevent monitored or overridden APIs from being bypassed by dll unloading and reloading (Thanks to Jung Woo Young for report)
- SYSTEMTIME parsing bug in case of bad wDayOfWeek value solved

- Added a static library WinApiOverride.lib project and small application example in sources (located in WinAPIOverride32\_lib directory),
for developers who want to use WinApiOverride core components
- Small GUI changes
- Small bugs corrections

WinAPIOverride :
- New hooking way
No stack pointer change
No base pointer change (allow to hook functions compiled with /Oy optimization)
Exceptions are not caught and rethrown but just spied on, and exception registers are logged
Call analysis doesn't require the "try to retreive call stack" option
- support of __thiscall and __fastcall calling convention
- first try of .NET monitoring and overriding (Framework version 1.0 and higher supported) Notice: should be considered as beta
- Remote calls : new calling convention supported, .NET support
- Some code optimization
- Some bugs removal

- New version WinApiOverride for bug correction: since v4.0.1, when starting from command line all columns were hidden
(Thanks to Richard Pirk for report)

Version 4.0.2 March 09 2008

- New version WinApiOverride to correct int32 formatting bug due to bad SHORT cast (bug introduced in 4.0.0 version)
(Thanks to hanimaro for reporting it, because the bug was corrected in my working version, and so I thought the bug wasn't in the published version)

WinAPIOverride :
- Zombie length size disassembler added for more automatically powerful hooks
- Callstack and call stack parameters retrieval for all functions calls (option)
- Callstack post call analysis to easily highlight subfunctions
- Size of a parameter can be defined according to another parameter value : for example, for ReadFile we can use kernel32.dll|BOOL ReadFile( HANDLE hFile, LPVOID lpBuffer:PointedDataSize=Arg4, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped)|Out
- Timestamps changed from milliseconds to microseconds
- Multithreaded remote calls : you don't need to wait for the end of the first one to do another one.
- New saving files format .xml.zip (a zip file containing an .xml) to save space on hard drive. Of course, the old file format is still supported.
- Dll ordinal only fully supported (at least)
- Support UNICODE_STRING and ANSI_STRING as their full struct not only the string content like in older versions
- Monitoring file debug mode added
- New hooking tutorial added

Monitoring files :
- Size of a parameter can be defined according to another parameter value
- new keywords : DLL_ORDINAL, FirstBytesCantExecuteAnywhere, FirstBytesCanExecuteAnywhereWithRelativeAddressChange, FirstBytesCanExecuteAnywhereWithRelativeAddressChange=
- First bytes can execute anywhere size grows from 20 to 64 bytes
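
Added example (not part of WinAPIOverride or its sources): a small Python linter for the ":PointedDataSize=..." extension described in the entries above, checking that the referenced argument exists and computing how many bytes of the pointed buffer would be captured. The grammar, the 1-based argument index and the self-reference check are assumptions inferred from the two definitions quoted in this changelog; argument values are assumed to be already resolved to integers (for ReadFile's Arg4, the DWORD that lpNumberOfBytesRead points to).

```python
import re

# The two definitions quoted in this changelog.
ARRAY_DEF = ("Mydll.dll|void MyFunction(DWORD* ArrayOfDword:PointedDataSize=Arg2*4, "
             "SIZE_T ArrayItemsCount)")
READFILE_DEF = ("kernel32.dll|BOOL ReadFile( HANDLE hFile, LPVOID lpBuffer:PointedDataSize=Arg4, "
                "DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, "
                "LPOVERLAPPED lpOverlapped)|Out")

# Assumed grammar: module|return_type Function(params)[|options]
#   param := type name[:PointedDataSize=Arg<number>[*ItemSize]]
DEF_RE = re.compile(r'^(?P<module>[^|]+)\|(?P<proto>[^|]+\))(?:\|(?P<opts>.*))?$')
SIZE_RE = re.compile(r'^Arg(\d+)(?:\*(\d+))?$')

def parse_definition(line):
    m = DEF_RE.match(line.strip())
    if not m:
        raise ValueError("not a module|prototype[|options] line")
    head, _, arglist = m.group('proto').partition('(')
    params = []
    for raw in arglist.rstrip(') ').split(','):
        if not raw.strip():
            continue                      # empty parameter list
        decl, _, ext = raw.strip().partition(':')
        size = None
        if ext:
            key, _, expr = ext.partition('=')
            sm = SIZE_RE.match(expr.strip())
            if key.strip() != 'PointedDataSize' or not sm:
                raise ValueError(f"unsupported extension {ext!r}")
            size = (int(sm.group(1)), int(sm.group(2) or 1))  # (arg index, item size)
        params.append({'name': decl.split()[-1].lstrip('*'), 'size': size})
    # Lint (assumption of this example): Arg<number> is 1-based and must name
    # another existing parameter, otherwise the logged size would be meaningless.
    for pos, p in enumerate(params, 1):
        if p['size'] and not (1 <= p['size'][0] <= len(params) and p['size'][0] != pos):
            raise ValueError(f"{p['name']}: Arg{p['size'][0]} is not a valid parameter")
    return {'module': m.group('module').strip(), 'function': head.split()[-1],
            'options': m.group('opts'), 'params': params}

def pointed_sizes(definition, values):
    """Bytes captured per sized pointer; values are the resolved integer arguments, in order."""
    return {p['name']: values[p['size'][0] - 1] * p['size'][1]
            for p in definition['params'] if p['size']}
```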

Bug Corrections :
- "Load in all new process" blue screen that could appear on multi-core processors at hook stop removed (thanks to Arno Garrels for reporting the trouble with a solution)
- PE parsing (lots of bugs)
- First argument lost in command line for option "Attach at application startup" solved.
- some minor changes to generic monitoring files

- Ordinal log number added for sorting results
- modules filters bug in Unicode version removed (Ansi version not affected)
- other small bugs removed

Version 2.1.0 June 17 2006

WinAPIOverride
- Caller address is presented as raw and relative from module
- Filters can be defined depending on the calling module
- Injection in suspended mode works for all applications now
- Better injection performances when injecting to all applications
- New faking dll source code provided as a tutorial
(src code available under Tools\Process\APIOverride\FakeAPIDllSample\HideMe directory)
It shows you how to hide yourself from the hooked process. The HideMe.dll comes with the binaries archives.
It's only a proof of concept, handles are not hidden

Dumper
- Fully changed for better performance
- Allow Allocate, Read, Write or Free memory in remote processes
- Allow to make raw dump
- Allow to set processes/threads priority, suspend, resume or terminate them
- Retrieves Eip of threads (and if thread is not system locked, its context)
- Show process threads and parent Id

- Can hook multiple processes in same interface
- Can hook all created processes (filters can be defined)
- Better process hooking at startup handling
- Unicode conversion
- New InNoRet hooking type: it allows sending the log to WinApiOverride before the function is called, so even if the function crashes we get logs
- Monitoring files parsing improved: now you can leave the return type of the function in; parameter keywords const, struct, far, in, out, inout are ignored; pointer detection troubles solved (char *psz type will now be recognized as char*)
- Some memory leaks removed
- The injected library is statically linked only with kernel32 (user32.dll will be loaded only on errors). So hooking can be done sooner